A conservative, the saying used to go, is a liberal who has been mugged. I guess a Twitter security advocate is a Twitter user whose account has been hacked. I guess I was converted last night.
Twitter has been under attack for some time by spammers, and perhaps malware distributors, who have found a way to send users direct messages that seem to come from the accounts of people they follow. I got DMs yesterday with the text “This you????” and a dubious link. Then late yesterday evening, I got the first warning that phony DMs were being sent from my account with the message “hey, i’ve been having better sex and longer with this here” and a link to a phony Viagra site. (I opened the link on a BlackBerry; whatever else you say about the crummy BlackBerry browser, it does seem to be malware-proof.)
I tried to change my password but was locked out of my account because of “excessive login attempts.” It wasn’t until early this morning, and after dozens of DMs had been sent out under my name, that I was able to at least secure the account. Many other Twitter users appear to have had the same experience. I did get an email from Twitter at around midnight Eastern suggesting that I change my password because my account “may have been compromised in a phishing attack.”
But I’m left with a big question of what is going on here and what I should do about it. There seem to be three possibilities: 1) The phishers compromised password security at Twitter itself. 2) They mounted the attack through a service connected to Twitter accounts, such as any of a large number of third-party Twitter clients. 3) They found a way to send out DMs that appear to be from user accounts without actually compromising passwords. Each of these possibilities calls for a different response, both from Twitter and from its users, and it would be very useful to know what’s up.
So far, Twitter has not been forthcoming. A status post is a day old and badly out of date, and @safety isn’t any more helpful. I realize that a forensic investigation of what has happened is both difficult and time-consuming. And we have to remember that Twitter is a very small company; its headcount just passed the iconic 140.
The problem is that many of us are, perhaps without thinking about it very much, counting on Twitter to play an important role in our businesses. And these troubles come at a critical juncture, when Twitter is considering moving to an ad-based business model. I think that if Twitter is going to remain a vital service, it is going to have to grow up fast as a business, something that implies both a much more solid revenue stream and more responsiveness to customers. (In an ad-based model, Twitter would finally have customers who can demand service because they are paying for something; we free riders can’t really expect much for our money, but Twitter’s business viability depends on its big user base.)
Those are issues for the slightly longer term. Right now, we simply need to know what is going on. How about it, @Ev and @Biz?